1. What is the proposal being presented for review? Ans: The project will deliver the basic features needed to use Solaris on a x86 and SPARC platforms as a L3/L4 load balancer. ILB Phase 1 project will deliver the following features: o Stateless DSR and NAT operation modes offering the following load balancing algorithms: round-robin, src IP hash, hash, hash o A CLI and a configuration API to configure the various features as well as view statistics and configuration details. o Simple server monitoring features Fragmentation handling by the load balancer will be provided in later phase. The project includes kernel and userland components. The following new packages will provide the ILB userland deliverables: SUNWilbr SMF manifest of ILB service at: var/svc/manifest/network/loadbalancer SUNWilb components delivered in /usr which are: o ilbadm o libilb o libilb.h o ilbd o ilbstat which is to be used by "ilbadm show-statistics" subcommand only. o ilb_ping, ilb_probe which are to be used for server healthcheck The kernel component of ILB will be included in Solaris core package. For details of components please read design doc. We are seeking Standard review and requesting Minor release binding 2. Describe user interactions. * Are new user interfaces being proposed, or existing interfaces being changed? * Explain the similarities in proposed interfaces with existing OS user interfaces (Solaris, Linux, Windows, etc.). * Are there any install time changes? Ans: There are no changes in existing interfaces. The project will implement a new user interface for ILB adminstration. There are no install time changes necessary. 3. What are the exported (defined by your project) and imported (defined by another project that your project then references) interfaces or protocols and their respective stability levels? See: http://www.opensolaris.org/os/community/arc/policies/interface-taxonomy/ Ans: The core functionality of the load balancer administration will be implemented in a library(libilb) for consumption by the CLI(ilbadm) and 3rd party applications. The new ioctl needed for communication between ilbd and the ILB kernel engine.The ILB project will audit administration using the auditing interfaces that are defined by PSARC 2000/517 Below is the list of ILB project's imported and exported interfaces: Imported Interfaces Interface Classification Comments ============================================================== port_create(3C) Committed Event ports PSARC 2003/462 port_associate (3C) Committed Event ports PSARC 2003/462 ucred_get(3C), pwd.h Committed User credential getpwuid_r() Committed User Credential priv_set(3C), priv.h Committed Solaris Privileges auth_attr.h,exec_attr.h Committed RBAC chkauthattr() Committed RBAC adt_put_event(),adt.h Contract Private Solaris audit PSARC 2000/517 adt_free_event() Contract Private Solaris audit PSARC 2000/517 adt_start_session() Contract Private Solaris audit PSARC 2000/517 posix-spaw(3C),spawn.h Committed Exported Interfaces Interface Classification Comments =============================================================== SIOCILB Private ilbd daemon uses this ioctl to configure the ILB component usr/include/libilb.h Committed libilb functions Committed See Appendix C of design doc ilbadm(1M) Committed ILB CLI. See Appendix B of design doc Note: We are requesting Committed classification for libilb APIs in order to allow its consumption by 3rd party application. 4. Describe any dependencies on hardware (e.g. SPARC exclusive), and on other projects within Solaris. Ans: There are no hardware dependencies. ILB project does not depend on any other project. 5. Projects need to be aware of the overall security of the system and how their components affect it. Which parts of this project are critical to the security of the system to avoid such unintended consequences such as unauthorized system entry, unauthorized access to or modification of data, elevation of privilege, denial of service, ...? Does this project require elevated privilege? A number of specific policies and practices address various aspects of the security of the system. They are found in appendix 1. Which of these are applicable to this project, and how are they addressed? Ans: Please see Section 10.1 of design document. 6. Describe means of observing project functionality and performance, by an end user or by a system administrator. Ans: The ILB project's command line interface, ilbadm, can be used for following observability features: o view configured load balancing rules o view servergroup details o view packet forwarding statistics o view nat connection table o view session persistence table o view server healthcheck configuration details o view server healthcheck results 7. How does the project deal with faults and interruptions? Initialization and restarting? Ans: If for some reason the ILB daemon dies, it's restarted by SMF, and the daemon will send a reset notification to the ILB kernel component to clean up existing states. Iin the event of fatal errors, ilbd daemon will use the libscf function: smf_maintain_instance(ILB_FMRI, SMF_IMMEDIATE) (where ILB_FMRI points at the ILB service instance) to kill the associated running processes and put ILB service into maintenance. 8. How does the project interact with Solaris virtualization technologies (xVM, LDOMs, zones, SunCluster, etc.)? Ans: ILB is orthogonal to hardware virtualization. It can be used inside an exclusive-IP zone. 9. Does this project require administration (i.e., configuration or management)? If so, * How is the project administered, and what sort of review process has this user interface undergone? * Is there a means of aggregating management and/or configuration with other related projects? * Does this project deliver its own administration along with the other components, or is this project an administration interface for other projects? * Are there any external (to Solaris) management interfaces to consider, or being consumed? Projects that require or deliver administrative interfaces are often by their nature security components of the system and should likely address the security question (#5 above, with attention to RBAC and Audit). (See also appendix 2). Ans: The project will provide a command-line interface to administer the load balancer capability. 10. Have you reviewed the Policies and Best Practices? Are there any exceptions this project needs? See http://www.opensolaris.org/os/community/arc/policies/ http://www.opensolaris.org/os/community/arc/bestpractices/ Ans: There are no exceptions. Appendix 1. Security references Plugable Authentication Modules http://opensolaris.org/os/community/arc/policies/PAM/ Audit Policy http://opensolaris.org/os/community/arc/policies/audit-policy/ Service Management Facility (SMF) usage http://opensolaris.org/os/community/arc/policies/SMF-policy/ Install-Time Security http://opensolaris.org/os/community/arc/policies/ITS/ Network Install-Time Security http://opensolaris.org/os/community/arc/policies/NITS-policy/ Secure - by - Default http://opensolaris.org/os/community/arc/policies/secure-by-default/ When to use setuid -vs - RBAC roles and profiles http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/ Building RBAC Rights Profiles http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/ Adding RBAC Authorizations http://opensolaris.org/os/community/arc/bestpractices/rbac-auths/ Reusable Passwords in Command Line Arguments and Environment Variables http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/ Storing Reusable Passwords on a FileSystem http://opensolaris.org/os/community/arc/bestpractices/passwords-files/ Administrative and Security Precedents and Policies http://opensolaris.org/os/community/arc/bestpractices/overview-admin-security/ Security Questions http://opensolaris.org/os/community/arc/bestpractices/security-questions/ Appendix 2. Administrative access and control RBAC (Role Based Access Control): See PSARC/1997/332 Execution Profiles for Restricted Environments http://opensolaris.org/os/community/arc/caselog/1997/332 Privilege: See PSARC/2002/188 Least Privilege for Solaris http://opensolaris.org/os/community/arc/caselog/2002/188 Appendix 3. Policies and Best Practices references http://www.opensolaris.org/os/community/arc/policies/ http://www.opensolaris.org/os/community/arc/bestpractices/